SB2017081422 - Stack-based buffer overflow in libsoup (Alpine package)
Published: August 14, 2017
Security Bulletin ID: SB2017081422
Severity: High
Patch available: YES
Number of vulnerabilities: 1
Exploitation vector: Remote access
Highest impact: Code execution
Description
This security bulletin contains information about 1 security vulnerability.
1) Stack-based buffer overflow (CVE-ID: CVE-2017-2885)
The vulnerability allows a remote attacker to execute arbitrary code on the target system. The weakness exists in the libsoup library for GNOME due to improper bounds checking when processing a crafted HTTP request containing chunk-encoded data. A remote attacker can send a specially crafted HTTP request, trigger a stack-based buffer overflow in the soup_body_input_stream_read_chunked function in libsoup/soup-body-input-stream.c, and execute arbitrary code with the privileges of the current user.
Successful exploitation of the vulnerability may result in system compromise.
Remediation
Install the update from the vendor's website.
References
- https://git.alpinelinux.org/aports/commit/?id=8e6d8b010f1e439ab87a028379aff20da95eb2c4
- https://git.alpinelinux.org/aports/commit/?id=dda4496be9df796314f44ebdcb532227ae559e7b
- https://git.alpinelinux.org/aports/commit/?id=f1acd9476c060b33c8f08a571a5ee38bcf983bbc
- https://git.alpinelinux.org/aports/commit/?id=5c0563d9b61e3239c37147f4656ca8586e6512f3
- https://git.alpinelinux.org/aports/commit/?id=d09120c774904bcf1077c59ae30f04962ad8ff9a
- https://git.alpinelinux.org/aports/commit/?id=16649bcca066db87c70f1ddc537c58b5c76773e6
- https://git.alpinelinux.org/aports/commit/?id=61eaf19e65cf7177aede4717f8e41999867b61ab
- https://git.alpinelinux.org/aports/commit/?id=8e4a3505d8a5787b7b22cc3619d331a482c586cc
- https://git.alpinelinux.org/aports/commit/?id=96c3339a9f315462505407b976df2e9ae12e39a7